Abstract

Cryptographic protocols rely on message-passing to coordinate activity among principals. Many richly developed tools, based on well-understood foundations, are available for the design and analysis of pure message-passing protocols. However, in many protocols, a principal uses non-local, mutable state to coordinate its local sessions. Cross-session state poses difficulties for protocol analysis tools.

We provide a framework for modeling stateful protocols, and a hybrid analysis method. We leverage theorem-proving, specifically PVS, for reasoning about computations over state. An "enrich-by-need" approach, embodied by CPSA, focuses on the message-passing part. The Envelope Protocol, due to Mark Ryan, furnishes a case study.

Protocol analysis is largely about message-passing in a model in which every message transmitted is made available to the adversary. The adversary can deliver the messages transmitted by the regular (i.e. compliant) principals, if desired, or not. The adversary can also retain them indefinitely, so that in the future he can deliver them, or messages built from them, repeatedly.

However, some protocols also interact with long-term state. For instance, the Automated Teller Machine protocols interact with the long-term state stored in banks' account databases. Protocol actions are constrained by that long-term state; for instance, an ATM machine will be told not to dispense cash to a customer whose account has insufficient funds. Protocol actions cause updates to long-term state; for instance, a successful withdrawal reduces the funds in the customer's account. State-manipulating protocols are important to electronic finance and commerce. They are also important in trusted computing, i.e. in systems using Trusted Platform Modules for attestation and secrecy. Indeed, as software interacts with real-world resources in interoperable ways, cryptographic protocols that manipulate long-term state will be increasingly central.

Long-term state is fundamentally different from message passing. The adversary can always choose to redeliver an old message. But he cannot choose to redeliver an old state; for instance, the adversary in an ATM network cannot choose to replay a withdrawal, applying it to a state in which he has sufficient funds, in case he no longer does. Regular principals maintain long-term state across protocol executions in order to constrain subsequent executions, and ensure that future runs will behave differently from past runs.

The Cryptographic Protocol Shapes Analyzer [24] (CPSA) is our program for automatically characterizing the possible executions of a protocol compatible with a specified partial execution. It is grounded in strand space theory. There exists a mathematically rigorous theory [18] that backs up the implementation of CPSA in Haskell, and proves that the algorithm produces characterizations that are complete, and that the algorithm enumerates these characterizations.

Part of state manipulation can be encoded by message-passing. In this "state-passing style," reception of a message bearing the state represents reading from the state, and transmission of an updated state as a message represents writing to the state. These conventions help CPSA analyze protocols with state. If a protocol interacts with the state, we add state-bearing receive/transmit event pairs to its roles, and CPSA attempts to find paths through state space as it generates executions. However, CPSA constructs some executions which are in fact not possible. In these executions, a state-bearing message is transmitted from one node and then received by two different state-receiving nodes.

CPSA does not recognize that this is not possible in a state history, and thus provides only an approximate analysis. Showing the correctness of the protocol requires a more refined analysis.

Our contribution. We apply CPSA to a system that relies on state, coupling CPSA with the Prototype Verification System [21] (PVS) proof assistant.

We specified a version of strand space theory in PVS. On top of this theory, we encoded the result of a CPSA analysis run as a formula in the PVS logic. This formula is justified by the CPSA completeness result [23]. We then use this formula as an axiom in PVS. Proofs using this axiom may imply the existence of additional message transmissions/receptions, leading to an enriched CPSA analysis. In this way the theorem-proving and execution-finding analysis activities cooperate, over the common semantic foundation of strand space theory. Hence, the combination is semantically sound.

Outline of the Analysis. Our paradigm is CPSA's enrich-by-need approach [ ]. That is, we ask: What kinds of executions are possible, assuming that a particular pattern of events has occurred? To verify authentication properties, we observe that all executions contain certain required events. To verify confidentiality properties, we consider patterns that include a disclosure, and observe that no executions are possible. Our method involves a conversation (so to speak) between CPSA and PVS. The main steps are:

1. Within PVS we define theories (i) Tbnd of strand spaces and protocol executions ("bundles") and (ii) Tstate of transition relations and their state histories (see Fig. 1). Tannot is their union, a theory of protocol executions where some protocol steps are annotated with a state transition. Augmenting Tbnd with information about a protocol Π produces Tbnd(Π). Augmenting Tstate with information about a particular transition relation ⇝ produces Tstate(⇝). The union of Tannot, Tbnd(Π), and Tstate(⇝) is Tannot(Π, ⇝).

Our PVS theories are in fact somewhat coarser than this.

2. Within the state transition theory Tstate(⇝), we prove lemmas in PVS such as Lemma 1 below. Some of their consequences in the annotated protocol theory Tannot(Π, ⇝) use only the limited vocabulary of Tbnd(Π); we call them bridge lemmas. Lemma 3 is a bridge lemma. They bring information back from the state world to the protocol world.

3. Independently, CPSA analyzes the protocols, with state-manipulation modeled as message-passing, but without any special knowledge about state transition histories. A sentence, called a shape analysis sentence [22, 15], summarizes its results in a sentence in the language of Tbnd(Π). A shape analysis sentence, such as Lemma 2, is used as an axiom in proofs within PVS.

Figure 1: Theory Inclusions. Tbnd ⊆ Tbnd(Π); Tstate ⊆ Tstate(⇝); Tbnd and Tstate are included in Tannot; Tbnd(Π) and Tstate(⇝) are included in Tannot(Π, ⇝).

4. Using bridge lemmas and shape analysis sentences jointly, we infer conclusions about protocol runs in Tbnd(Π). If we prove a contradiction, that shows that the situation given to CPSA cannot in fact occur. Otherwise, we may prove that additional message transmissions and receptions occurred, as in Thm. 4.

5. We incorporate these additional nodes into a new CPSA starting point, and allow CPSA to draw conclusions. Additional round trips are possible.


Structure. The body of this paper describes an application of our method to the Envelope Protocol, a protocol that interacts with a Trusted Platform Module (TPM) to achieve an important security goal. Section 1 describes the protocol Π. Section 2 describes our TPM model. Section 3 presents the theory of bundles Tbnd encoded within PVS, and specializes this to Tbnd(Π), demonstrating our main trick of including state-bearing receive-transmit pairs to encode the state transitions. Section 4 describes CPSA, our protocol analysis tool, and what results CPSA infers in Tbnd(Π). Section 5 links the state world and the protocol world Tannot(Π, ⇝). The relevant bridge lemma is stated and applied to prove the Envelope Protocol security goal.

1 The Envelope Protocol

The proof of an important security goal of the Envelope Protocol [2] was the focus of most of our effort. The protocol allows someone to package a secret such that another party can either reveal the secret or prove the secret never was and never will be revealed.
Protocol motivation. The plight of a teenager motivates the protocol. The teenager is going out for the night, and her parents want to know her destination in case of emergency. Chafing at the loss of privacy, she agrees to the following protocol. Before leaving for the night, she writes her destination on a piece of paper and seals the note in an envelope. Upon her return, the parents can prove the secret was never revealed by returning the envelope unopened. Alternatively, they can open the envelope to learn her destination.

The parents would like to learn their daughter's destination while still pretending that they have respected her privacy. The parents are thus the adversary. The goal of the protocol is to prevent this deception.

Necessity of long-term state. The long-term state is the envelope. Once the envelope is torn open, the adversary no longer has access to a state in which the envelope is intact. A protocol based only on message passing is insufficient, because the ability of the adversary monotonically increases. At the beginning of the protocol the adversary can either return the envelope or tear it. In a purely message-based protocol the adversary will never lose these abilities.

Cryptographic version. The cryptographic version of this protocol uses a TPM to achieve the security goal. Here we restrict our attention to a subset of the TPM's functionality. In particular we model the TPM as having a state consisting of a single Platform Configuration Register (PCR) and only responding to five commands. A boot command sets the PCR to a known value. The extend command takes a piece of data, d, and replaces the current value val of the PCR with the hash of d and val, i.e. #(d, val). In fact, the form of extend that we model, which is an extend within an encrypted session, also protects against replay. These are the only commands that alter the value in a PCR.

The TPM provides other services that do not alter the PCR. The quote command reports the value contained in the PCR and is signed in a way that ensures its authenticity. The create key command causes the TPM to create an asymmetric key pair where the private part remains shielded within the TPM. However, it can only be used for decryption when the PCR has a specific value. The decrypt command causes the TPM to decrypt a message using this shielded private key, but only if the value in the PCR matches the constraint of the decryption key.
In what follows, Alice plays the role of the teenaged daughter packaging the secret. Alice calls the extend command with a fresh nonce n in an encrypted session. She uses the create key command constraining that new key to be used only when a specific value is present in the PCR. In particular, the constraining value cv she chooses is the following:

$\mathit{cv} = \#(\text{``obtain''}, \#(n, \mathit{val}))$

where val was the PCR value prior to the extend command. She then encrypts her secret v with this newly created key.

Using typical message passing notation, Alice's part of the protocol might be represented as follows (where k' denotes the key created in the second line, and where we still ignore the replay protection):

$A \to \mathit{TPM} : \{|\text{``extend''}, n|\}_k$
$A \to \mathit{TPM} : \text{``create key''}, \#(\text{``obtain''}, \#(n, \mathit{val}))$
$\mathit{TPM} \to A : k'$
$A \to \mathit{Parent} : \{|v|\}_{k'}$


The parent acts as the adversary in this protocol. We assume he can perform all the normal Dolev-Yao operations such as encrypting and decrypting messages when he has the relevant key, and interacting with honest protocol participants. Most importantly, the parent can use the TPM commands available in any order with any inputs he likes. Thus he can extend the PCR with the string obtain and use the key to decrypt the secret. Alternatively, he can extend the PCR with the string refuse and then generate a TPM quote as evidence the secret will never be exposed. The goal of the Envelope Protocol is to ensure that once Alice has prepared the TPM and encrypted her secret, the parent should not be able to both decrypt the secret and also generate a refusal quote, $\{|\text{``quote''}, \#(\text{``refuse''}, \#(n, \mathit{val})), \{|v|\}_{k'}|\}_{\mathit{aik}}$.

A crucial fact about the PCR role in this protocol is the injective nature of the hashing, ensuring that for every x

$\#(\text{``obtain''}, \#(n, \mathit{val})) \neq \#(\text{``refuse''}, x)$   (1)


2 The TPM Model

In this section we introduce our TPM state theory Tstate(⇝), focusing on representing the value of the PCR and how the TPM commands may change it.
Sorts:        M, T, A, S, D, E

Subsorts:     A < T,  S < T,  D < T,  E < T

Operations:   bt : M                          TPM boot
              ex : T × M → M                  TPM extend
              (·, ·) : T × T → T              Pairing
              {|·|}(·) : T × A → T            Asymmetric encryption
              {|·|}(·) : T × S → T            Symmetric encryption
              (·)^{-1} : A → A                Asymmetric key inverse
              (·)^{-1} : S → S                Symmetric key inverse
              # : T → S                       Hashing
              a_i : A                         Asymmetric key constants
              s_i : S                         Symmetric key constants
              d_i : D                         Data constants
              e_i : E                         Text constants
              g_i : T                         Tag constants          (i ∈ N)

Equations:    ∀k : A. (k^{-1})^{-1} = k
              ∀k : S. k^{-1} = k

Figure 2: Crypto Algebra with State Signature


Fig. 2 shows the signature of the order-sorted algebra used in this paper. Sort M is the sort of TPM machine states and sort T is the top sort of messages. Messages of sort A (asymmetric keys), sort S (symmetric keys), sort D (data), and sort E (text) are called atoms. Messages are atoms, tag constants, or constructed using encryption {|·|}(·), hashing #(·), and pairing (·, ·), where the comma operation is right associative and parentheses are omitted when the context permits.

The algebra is the initial quotient term algebra over the signature. It is easy to show that each term t of the algebra is equal to a unique term t' with no occurrences of the inverse operation (·)^{-1}; we choose this t' to be the canonical representative of t.

We use the function pcr to coerce TPM states, which are of sort M, to messages, specifically to symmetric keys of sort S:

$\mathit{pcr} : M \to S$
$\mathit{pcr}(\mathit{bt}) = s_0$
$\mathit{pcr}(\mathit{ex}(t, m)) = \#(t, \mathit{pcr}(m))$
where constant s_0 is known to all. Modeling the injectivity of the hash function (cf. Equation 1), we postulate that the function pcr is injective. The definition of the TPM transition relation ⇝ is

$m_0 \rightsquigarrow m_1$ iff $m_1 = \mathit{bt}$ (boot)
  or $\exists t : T.\ m_1 = \mathit{ex}(t, m_0)$ (extend)
  or $m_0 = m_1$ (quote, decrypt)

The create key command does not interact with the state.

In this framework we prove a crucial property of all executions which we express in terms of the notion of a state having a message. A state has a message if an extend operation with it is part of the state. For example, ex("obtain", ex(v, bt)) has "obtain" and v, but it does not have "refuse".

An infinite sequence of states π is a path if π(0) = bt and ∀i ∈ N. (π(i), π(i+1)) ∈ ⇝. Paths in this TPM model have several useful properties. For example, if a previous state is not a subterm of a state, there must have been an intervening boot. Also, if a state has a message, and a previous state is a boot state, there must have been an intervening transition that extends with the message. These two properties can be combined into the property used by the proof of the Envelope Protocol security goal: if a previous state is not a subterm of a state that has a message, there must have been an intervening transition that extends with the message. Lemma 1 formalizes this property in our state theory Tstate(⇝), and we proved it using PVS.

Lemma 1 (Prefix Boot Extend).

$\forall \pi \in \mathit{path},\ t : T,\ i, k \in \mathbb{N}.\ i < k \wedge \pi(k)\ \mathit{has}\ t$
$\quad \supset \mathit{subterm}(\pi(i), \pi(k))$
$\quad \vee\ \exists j \in \mathbb{N}.\ i \le j < k \wedge \pi(j+1) = \mathit{ex}(t, \pi(j))$
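The following is an added example, not code from the paper or from the CPSA/PVS development: an executable reading of the state theory Tstate(⇝) above (states bt and ex(t, m), pcr, has, subterm, the transition relation, finite path prefixes and the instances of Lemma 1 on them), joined to the Envelope Protocol story of Section 1 by a bounded search over the parent's possible TPM command histories. The term encoding, the five-symbol command alphabet, and the search bound are assumptions of this example; hashing is modeled as a free constructor, which is exactly what the injectivity postulated for pcr requires.

```python
# Added example (not from the paper): an executable reading of the TPM state
# theory T_state(~>) of Sect. 2, checked against the Envelope Protocol story of
# Sect. 1.  States are the free terms bt and ex(t, m); hashing #(t, val) is a
# free constructor, which is how the injectivity postulated for pcr is obtained.
# The command alphabet and the bounded search are assumptions of this example.
from itertools import product

BOOT = ("bt",)  # the boot state bt
S0 = "s0"       # pcr(bt) = s0, known to all


def ex(t, m):
    """The extend transition: the state reached by extending state m with t."""
    return ("ex", t, m)


def hsh(t, val):
    """#(t, val) as a free constructor: distinct arguments give distinct hashes."""
    return ("#", t, val)


def pcr(m):
    """pcr(bt) = s0; pcr(ex(t, m)) = #(t, pcr(m)).  Injective by construction."""
    return S0 if m == BOOT else hsh(m[1], pcr(m[2]))


def has(m, t):
    """A state has message t if some extend with t is part of the state."""
    return m != BOOT and (m[1] == t or has(m[2], t))


def subterm(m0, m1):
    """m0 is a subterm of state m1: equal to it, or to one of its sub-states."""
    return m0 == m1 or (m1 != BOOT and subterm(m0, m1[2]))


def transition(m0, m1):
    """The relation m0 ~> m1: boot, extend with some t, or quote/decrypt."""
    if m1 == BOOT:
        return True          # boot
    if m1[2] == m0:
        return True          # extend with m1[1]
    return m0 == m1          # quote and decrypt leave the state unchanged


def is_path(states):
    """Finite prefix of a path: starts at bt and follows ~> at every step."""
    return states[0] == BOOT and all(transition(a, b) for a, b in zip(states, states[1:]))


def lemma1_holds(states, t, i, k):
    """One instance of Lemma 1 (Prefix Boot Extend) on a finite path prefix:
    i < k and states[k] has t implies states[i] is a subterm of states[k], or
    some j in [i, k) extends with t, i.e. states[j+1] == ex(t, states[j])."""
    if not (i < k and has(states[k], t)):
        return True          # antecedent false: the instance holds vacuously
    return subterm(states[i], states[k]) or any(
        states[j + 1] == ex(t, states[j]) for j in range(i, k))


def check_lemma1(states):
    """Check every instance of Lemma 1 on a finite path prefix."""
    assert is_path(states)
    extended = {m[1] for m in states if m != BOOT}
    return all(lemma1_holds(states, t, i, k)
               for t in extended for k in range(len(states)) for i in range(k))


# Parent's command alphabet (an assumption): boot, or extend with obtain, refuse,
# Alice's nonce n, or an unrelated value.  Quote and decrypt do not change state.
COMMANDS = ("boot", "obtain", "refuse", "n", "other")


def run(cmds):
    """The state history produced by a command sequence, starting from bt."""
    states = [BOOT]
    for c in cmds:
        states.append(BOOT if c == "boot" else ex(c, states[-1]))
    return states


def parent_options(cmds):
    """For a history in which Alice's extend with n happens exactly once (her
    replay-protected session allows no second one), report whether some state
    lets the parent decrypt (pcr equals cv = #(obtain, #(n, val))) and whether
    some state yields a refusal quote (pcr equals #(refuse, #(n, val))), where
    val is the PCR value immediately before Alice's extend."""
    assert cmds.count("n") == 1
    states = run(cmds)
    val = pcr(states[cmds.index("n")])
    cv, refusal = hsh("obtain", hsh("n", val)), hsh("refuse", hsh("n", val))
    return any(pcr(m) == cv for m in states), any(pcr(m) == refusal for m in states)


def envelope_violations(max_len):
    """Bounded exhaustive search: histories of length <= max_len in which the
    parent could both decrypt the secret and obtain a refusal quote."""
    return [cmds for length in range(1, max_len + 1)
            for cmds in product(COMMANDS, repeat=length)
            if cmds.count("n") == 1 and all(parent_options(cmds))]


if __name__ == "__main__":
    print(parent_options(("n", "obtain")), parent_options(("other", "n", "refuse")))
    print("violations up to length 6:", envelope_violations(6))
```

The search returns no violating history: once n has been extended exactly once, at most one successor of the state ex(n, ·) exists in any single history, so the constraint value and the refusal value (distinct by construction, as Equation 1 requires) cannot both be reached. This is the state-world half of the argument; the bundle-world half is what CPSA's state-passing encoding under-constrains, as Section 4 shows.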

3 Strand Spaces

This section introduces our strand space theory of the Envelope Protocol, Tbnd(Π). In strand space theory [25], a strand represents the local behavior of a principal in a single session. The trace of a strand is a linearly ordered sequence of events e_0 ⇒ ··· ⇒ e_{n-1}, and an event is either a message transmission +t or a reception −t, where t has sort T. A strand space Θ is a map from a set of strands to a set of traces. In the PVS theory of strand spaces, the set of strands is a prefix of the natural numbers, so a strand space is a finite sequence of traces.

In a strand space, a node identifies an event. The nodes of strand space Θ are {(s, i) | s ∈ Dom(Θ), 0 ≤ i < |Θ(s)|}, and the event at a node is evt_Θ(s, i) = Θ(s)(i).

A message t_0 is carried by t_1, written t_0 ⊑ t_1, if t_0 can be extracted from a reception of t_1, assuming the necessary keys are available. In other words, ⊑ is the smallest reflexive, transitive relation such that t_0 ⊑ t_0, t_0 ⊑ (t_0, t_1), t_1 ⊑ (t_0, t_1), and t_0 ⊑ {|t_0|}_{t_1}. A message originates in trace c at index i if it is carried by c(i), c(i) is a transmission, and it is not carried by any event earlier in the trace. A message t is non-originating in a strand space Θ, written non(Θ, t), if it originates on no strand. A message t uniquely originates in a strand space Θ at node n, written uniq(Θ, t, n), if it originates in the trace of exactly one strand s at index i, and n = (s, i).

The model of execution is a bundle. The pair Υ = (Θ, →) is a bundle if it defines a finite directed acyclic graph, where the vertices are the nodes of Θ, and an edge represents communication (→) or strand succession (⇒) in Θ. For communication, if n_0 → n_1, then there is a message t such that evt_Θ(n_0) = +t and evt_Θ(n_1) = −t. For each reception node n_1, there is a unique transmission node n_0 with n_0 → n_1. We use ≺ to denote the causal ordering of nodes in a bundle: the transitive closure of → ∪ ⇒. The strand space associated with a bundle Υ will be denoted Θ_Υ unless the association is clear from the context.

When a bundle is a run of a protocol, the behavior of each strand is constrained by a role. Adversarial strands are constrained by roles as are non-adversarial strands. A protocol is a set of roles, and a role is a set of traces. A trace c is an instance of role r if c is a prefix of some member of r. More precisely, for protocol P, we say that bundle Υ = (Θ, →) is a run of protocol P if there exists a role assignment ra ∈ Dom(Θ) → P such that for all s ∈ Dom(Θ), Θ(s) is an instance of ra(s). In what follows, we fix the protocol P and only consider bundles that are runs of P.

The roles that constrain adversarial behavior are defined by the functions in Figure 3. The adversary can execute all instances of these patterns. For the encryption related roles, k : A|S asserts that k is either a symmetric or asymmetric key. For the create role, t : A|S|D|E asserts that t is an atom. Atoms, characteristically, are what the adversary can create out of thin air (modulo origination assumptions).

$\mathit{create}(t : A|S|D|E) = +t$        $\mathit{tag}_i = +g_i$
$\mathit{pair}(t_0 : T, t_1 : T) = -t_0 \Rightarrow -t_1 \Rightarrow +(t_0, t_1)$
$\mathit{sep}(t_0 : T, t_1 : T) = -(t_0, t_1) \Rightarrow +t_0 \Rightarrow +t_1$
$\mathit{enc}(t : T, k : A|S) = -t \Rightarrow -k \Rightarrow +\{|t|\}_k$
$\mathit{dec}(t : T, k : A|S) = -\{|t|\}_k \Rightarrow -k^{-1} \Rightarrow +t$
$\mathit{hash}(t : T) = -t \Rightarrow +\#t$

Figure 3: Adversary Traces

There is a role for each TPM operation. We represent them using a state-passing style. The state-passing style allows CPSA to draw conclusions about where states could come from. Each role receives a message encoding the state at the time it occurs. It transmits a message encoding the state after any state change it causes. We do the encoding using a special tag g_0 and an encryption. For a transition m_0 ⇝ m_1, the role contains

$\cdots \Rightarrow -\{|g_0, \mathit{pcr}(m_0)|\}_{\#k} \Rightarrow +\{|g_0, \mathit{pcr}(m_1)|\}_{\#k} \Rightarrow \cdots$

Here k is an uncompromised symmetric key used only in TPM operations. The states are encoded as encryptions using the hash #k of k. Tag g_0 is included to ensure that a state-bearing message is never confused with any other protocol message. State-passing style is less restrictive than actual state histories, since a state-bearing message may be received many times, even if it is sent only once.

Using these receive-transmit pairs of state-bearing messages, the TPM roles are represented in Fig. 4, where tag g_1 is obtain and tag g_2 is refuse. In the extend role, we now show the two initial messages that provide replay prevention; the TPM supplies a fresh nonce as a session ID that must appear with the value to be extended into the PCR. The createkey role does not interact with the state. It simply creates a key that will be constrained by the state in the boot role.

Alice's role, including the messages to prevent replays, is:

$\mathit{alice}(\mathit{sid}, v : D,\ \mathit{esk} : S,\ k, \mathit{tpmk}, \mathit{aik} : A,\ n : E,\ p : T) =$
$\quad +(g_4, \mathit{tpmk}, \{|\mathit{esk}|\}_{\mathit{tpmk}}) \Rightarrow -(g_4, \mathit{sid})$
$\quad \Rightarrow +\{|g_5, n, \mathit{sid}|\}_{\mathit{esk}} \Rightarrow +(g_9, \#(g_1, \#(n, p)))$
$\quad \Rightarrow -\{|g_8, k, \#(g_1, \#(n, p))|\}_{\mathit{aik}} \Rightarrow +\{|v|\}_k$

The parameters sid and tpmk help prevent replays. To make formulas more comprehensible, we omit them.
$\mathit{boot}(k : S, p : T) =$
$\quad -g_3 \Rightarrow -\{|g_0, p|\}_{\#k} \Rightarrow +\{|g_0, s_0|\}_{\#k}$

$\mathit{extend}(\mathit{sid} : D, \mathit{tpmk} : A, \mathit{esk}, k : S, p, t : T) =$
$\quad -(g_4, \mathit{tpmk}, \{|\mathit{esk}|\}_{\mathit{tpmk}}) \Rightarrow +(g_4, \mathit{sid}) \Rightarrow -\{|g_5, t, \mathit{sid}|\}_{\mathit{esk}}$
$\quad \Rightarrow -\{|g_0, p|\}_{\#k} \Rightarrow +\{|g_0, \#(t, p)|\}_{\#k}$

$\mathit{quote}(k : S, \mathit{aik} : A, p, n : T) =$
$\quad -(g_6, n) \Rightarrow -\{|g_0, p|\}_{\#k} \Rightarrow +\{|g_0, p|\}_{\#k} \Rightarrow +\{|g_6, p, n|\}_{\mathit{aik}}$

$\mathit{decrypt}(m, t : T, k', \mathit{aik} : A, k : S) =$
$\quad -(g_7, \{|m|\}_{k'}) \Rightarrow -\{|g_8, k', t|\}_{\mathit{aik}} \Rightarrow -\{|g_0, t|\}_{\#k} \Rightarrow +\{|g_0, t|\}_{\#k} \Rightarrow +m$

$\mathit{createkey}(k, \mathit{aik} : A, t : T) =$
$\quad -(g_9, t) \Rightarrow +\{|g_8, k, t|\}_{\mathit{aik}}$

Tags: g_0 state, g_1 obtain, g_2 refuse, g_3 boot, g_4 session, g_5 extend, g_6 quote, g_7 decrypt, g_8 created, g_9 create key.

Figure 4: State-Bearing Traces


4 CPSA

This section discusses how we use our analysis tool CPSA to infer results in the theory Tbnd(Π). CPSA carries out enrich-by-need analysis, and characterizes the set of bundles consistent with a partial description of a bundle.

These partial descriptions are called skeletons. CPSA takes as input an initial skeleton A_0, and when it terminates it outputs a set of more descriptive skeletons {B_i}_{i∈I}. They have the property that any bundle containing the structure in the initial skeleton A_0 also contains all the structure in one of the output skeletons B_i. In particular, it infers all of the non-adversarial behavior that must be present in any bundle satisfying the initial description. Of course for some initial skeletons A_0, there may be no bundles that are consistent with them. In this case, CPSA outputs the empty set.

The security goal for the Envelope Protocol is that a run of Alice's role should ensure that the secret and the refusal certificate are not both available:

Security Goal 1. Consider the following events:

• An instance of the Alice role runs to completion, with secret v and nonce n both freshly chosen;

• v is observed unencrypted;

• the refusal certificate $\{|\text{``quote''}, \#(\text{``refuse''}, \#(n, \mathit{val})), \{|v|\}_{k'}|\}_{\mathit{aik}}$ is observed unencrypted.

These events, which we call jointly A_0, are not all present in any execution.

Figure 5: Alice Point-Of-View. The Alice strand of Fig. 4, with its messages (g_4, tpmk, {|esk|}_{tpmk}), (g_4, sid), {|g_5, n, sid|}_{esk}, (g_9, #(g_1, #(n, p))), {|g_8, k, #(g_1, #(n, p))|}_{aik} and {|v|}_k, together with the two observations of Security Goal 1: v unencrypted, and the refusal quote bearing pcr(ex(g_2, ex(n, p))) signed under aik.

We can feed CPSA an input skeleton A_0 representing this undesirable situation. The skeleton A_0 is visualized in Fig. 5.

We would hope CPSA could determine that no bundles are consistent with this input A_0 and return the empty set. However, our technique of using state-bearing messages to represent the TPM state transitions under-constrains the set of possible state paths. For this reason, CPSA actually produces one skeleton in its output. This skeleton represents some activity that must have occurred within the TPM in any bundle conforming to the initial skeleton. It contains an instance of the decrypt role (to explain the secret leaking), an instance of the quote role (to explain the creation of the refusal token), and several instances of the extend role (to explain how the TPM state evolved in order to allow the other two operations).

Figure 6: State Splitting. Only the state-bearing nodes of three extend strands are shown (g_0 is state, g_1 is obtain, g_2 is refuse):
  {|g_0, pcr(p)|}_{#k} → extend → {|g_0, pcr(ex(n, p))|}_{#k},
  whose transmitted state is received both by an extend strand transmitting {|g_0, pcr(ex(g_1, ex(n, p)))|}_{#k}
  and by another extend strand transmitting {|g_0, pcr(ex(g_2, ex(n, p)))|}_{#k}.

Fig. 6 displays the relevant portion of CPSA's output, showing only the state-bearing nodes of the extend strands inferred by CPSA. Notice that two of the extend strands branch off from the third strand. This is a state split in which a single state evolves in two distinct ways. The technique of using state-bearing messages is not sufficient to preclude this possibility.

CPSA's enrich-by-need approach is a form of model finding, rather than theorem proving. In order to use CPSA's results to our advantage we need to express its conclusions in the logical theory Tbnd(Π). For that purpose we transform our skeletons into formulas in order-sorted logic and define what it means for a bundle to satisfy these formulas. The sorts are the message algebra sorts augmented with a sort Z for strands and sort N for nodes. The atomic formula htin(z, h, c) asserts that strand z has a length of at least h, and its trace is a prefix of trace c. The formula n_0 ≪ n_1 asserts node n_0 precedes node n_1. The formula non(t) asserts that message t is non-originating, and uniq(t, n) asserts that message t uniquely originates at node n. Finally, the formula sends(n, t) asserts that the event at node n is a transmission of message t. The roles of the protocol serve as function symbols. A skeleton A is represented by the conjunction of all facts true in the skeleton.

We encode an entire CPSA analysis by first encoding the input skeleton A_0 and the output skeletons {B_i}_{i∈I}. The analysis is then encoded as an implication. A formula Φ_0 describing the input A_0 is the hypothesis of the conditional. The disjunction of the formulas Ψ_i describing the outputs forms the conclusion. When CPSA discovers that there are no bundles compatible with the initial skeleton, the conclusion is encoded as the empty disjunction, ⊥.

The satisfaction relation is defined using the clauses in Fig. 7. It relates a bundle, a variable assignment, and a formula: Υ, α ⊨ Φ. A bundle Υ is described by a skeleton iff the skeleton's sentence Φ satisfies Υ, written Υ ⊨ Φ.

$\Upsilon, \alpha \models x = y$ iff $\alpha(x) = \alpha(y)$;
$\Upsilon, \alpha \models \mathit{htin}(z, h, c)$ iff $|\Theta_\Upsilon(\alpha(z))| \ge \alpha(h)$ and $\Theta_\Upsilon(\alpha(z))$ is a prefix of $\alpha(c)$;
$\Upsilon, \alpha \models n_0 \ll n_1$ iff $\alpha(n_0) \prec_\Upsilon \alpha(n_1)$;
$\Upsilon, \alpha \models \mathit{non}(t)$ iff $\mathit{non}(\Theta_\Upsilon, \alpha(t))$;
$\Upsilon, \alpha \models \mathit{uniq}(t, n)$ iff $\mathit{uniq}(\Theta_\Upsilon, \alpha(t), \alpha(n))$;
$\Upsilon, \alpha \models \mathit{sends}(n, t)$ iff $\mathit{evt}_{\Theta_\Upsilon}(\alpha(n)) = +\alpha(t)$.

Figure 7: Satisfaction

The formula Φ_0 that specifies the initial skeleton relevant to the Envelope Protocol security goal is

$\mathit{htin}(z, 4, \mathit{alice}(v, \mathit{esk}, k, \mathit{aik}, n, p)) \wedge \mathit{sends}(n_1, v)$
$\quad \wedge\ \mathit{sends}(n_2, \{|g_6, \mathit{pcr}(\mathit{ex}(g_2, \mathit{ex}(n, p)))|\}_{\mathit{aik}})$   (2)
$\quad \wedge\ \mathit{non}(\mathit{aik}) \wedge \mathit{non}(\mathit{esk})$
$\quad \wedge\ \mathit{uniq}(n, (z, 1)) \wedge \mathit{uniq}(v, (z, 4)),$

where v : D, esk : S, k, aik : A, n : E, p : T, z : Z, n_1, n_2 : N.
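The following added example, which is not code from the paper or from CPSA, makes the definitions of Section 3 (carried-by, origination, bundles and the causal order ≺) and the satisfaction clauses of Fig. 7 executable, and evaluates a Φ_0-style formula over a constructed two-strand bundle: Alice's abbreviated role together with the createkey role that answers her. The term encoding (atoms are strings, pairing, encryption and hashing are tagged tuples), the tuple syntax for formulas, and the assignment α are assumptions of this example; the bundle contains no disclosure of v, so the evaluator reports that the sends(n_1, v) conjunct of Φ_0 fails for it.

```python
# Added example (not from the paper): the strand-space definitions of Sect. 3
# and the satisfaction clauses of Fig. 7, run on a constructed bundle.  Term
# encoding is an assumption of this example: atoms are strings; ("pair", a, b),
# ("enc", t, k) and ("#", t) build messages; tags g1, g5, g8, g9 are strings.
from collections import deque


def pair(*ts):
    """Right-associative pairing: pair(a, b, c) = (a, (b, c))."""
    return ts[0] if len(ts) == 1 else ("pair", ts[0], pair(*ts[1:]))


def enc(t, k):
    return ("enc", t, k)


def carried_by(t0, t1):
    """t0 ⊑ t1: the least reflexive, transitive relation with t0 ⊑ (t0, t1),
    t1 ⊑ (t0, t1) and t0 ⊑ {|t0|}_k.  Hashes and encryption keys carry nothing."""
    if t0 == t1:
        return True
    if isinstance(t1, tuple) and t1[0] == "pair":
        return carried_by(t0, t1[1]) or carried_by(t0, t1[2])
    if isinstance(t1, tuple) and t1[0] == "enc":
        return carried_by(t0, t1[1])
    return False


def originates(t, trace, i):
    """t originates at index i: c(i) is a transmission carrying t and no earlier event carries t."""
    sign, u = trace[i]
    return sign == "+" and carried_by(t, u) and not any(carried_by(t, w) for _, w in trace[:i])


def origination_points(space, t):
    return [(s, i) for s, c in enumerate(space) for i in range(len(c)) if originates(t, c, i)]


def non(space, t):
    return origination_points(space, t) == []


def uniq(space, t, n):
    return origination_points(space, t) == [n]


def precedes(bundle, n0, n1):
    """n0 ≺ n1: transitive closure of communication (→) and strand succession (⇒)."""
    space, edges = bundle
    seen, todo = set(), deque([n0])
    while todo:
        s, i = todo.popleft()
        succ = [(s, i + 1)] if i + 1 < len(space[s]) else []
        succ += [b for a, b in edges if a == (s, i)]
        for m in succ:
            if m == n1:
                return True
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return False


def sat(bundle, alpha, phi):
    """Υ, α ⊨ φ for the atomic formulas of Fig. 7 plus conjunction.  A string that
    is a key of alpha is a variable; any other string is a constant (an atom).
    A node term is a node variable or a pair (strand variable, index)."""
    space, _ = bundle

    def val(x):
        return alpha[x] if isinstance(x, str) and x in alpha else x

    def node(x):
        return (val(x[0]), x[1]) if isinstance(x, tuple) else val(x)

    op, *args = phi
    if op == "and":
        return all(sat(bundle, alpha, f) for f in args)
    if op == "eq":
        return val(args[0]) == val(args[1])
    if op == "htin":
        z, h, c = val(args[0]), val(args[1]), args[2]
        return len(space[z]) >= h and space[z] == c[:len(space[z])]
    if op == "prec":
        return precedes(bundle, node(args[0]), node(args[1]))
    if op == "non":
        return non(space, val(args[0]))
    if op == "uniq":
        return uniq(space, val(args[0]), node(args[1]))
    if op == "sends":
        s, i = node(args[0])
        return space[s][i] == ("+", val(args[1]))
    raise ValueError(f"unknown formula {op}")


# Constructed sample: Alice's abbreviated role (Fig. 4 without sid and tpmk) and
# the createkey role answering her request.  CV is #(g1, #(n, p)).
CV = ("#", pair("g1", ("#", pair("n", "p"))))
ALICE = [("+", enc(pair("g5", "n"), "esk")),
         ("+", pair("g9", CV)),
         ("-", enc(pair("g8", "k", CV), "aik")),
         ("+", enc("v", "k"))]
CREATEKEY = [("-", pair("g9", CV)),
             ("+", enc(pair("g8", "k", CV), "aik"))]
BUNDLE = ([ALICE, CREATEKEY], [((0, 1), (1, 0)), ((1, 1), (0, 2))])
ALPHA = {"z": 0, "n1": (0, 3)}       # assumed assignment: z is strand 0, n1 its last node

# A Φ0-style description of this bundle (cf. formula 2), minus the disclosure of v.
PHI = ("and",
       ("htin", "z", 4, ALICE),
       ("sends", "n1", enc("v", "k")),
       ("non", "aik"), ("non", "esk"),
       ("uniq", "n", ("z", 0)), ("uniq", "v", ("z", 3)),
       ("prec", ("z", 1), "n1"))


def check_sample():
    """The bundle satisfies PHI, but not the claim that v itself is transmitted."""
    return sat(BUNDLE, ALPHA, PHI), sat(BUNDLE, ALPHA, ("sends", "n1", "v"))
```

Under this encoding n originates at Alice's first node and v at her last, the created key k originates on the createkey strand only, and aik and esk never originate because they occur only as encryption keys, which ⊑ does not look through.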

The output skeleton B_1 is much larger and its formula Ψ_1 is correspondingly large. The relevant part of this formula representing the fragment in Fig. 6 is

$\mathit{htin}(z_1, 3, \mathit{extend}(\mathit{esk}, k, \mathit{pcr}(p), n))$
$\quad \wedge\ \mathit{htin}(z_2, 3, \mathit{extend}(\mathit{esk}, k, \mathit{pcr}(\mathit{ex}(n, p)), g_1))$   (3)
$\quad \wedge\ \mathit{htin}(z_3, 3, \mathit{extend}(\mathit{esk}, k, \mathit{pcr}(\mathit{ex}(n, p)), g_2)),$

where esk, k : S, p : T, n : E, z_1, z_2, z_3 : Z. The full formula for B_1 has more conjuncts.

Let the vector $\bar{x}$ contain the variables that appear free in $\Phi_0$, and possibly also in $\Psi_1$, and let the vector $\bar{y}$ contain the variables that occur free in $\Psi_1$ only. Summarizing CPSA's analysis for the Envelope Protocol in $T_{\mathit{bnd}}(\Pi)$, we have:

Lemma 2. $\forall \bar{x}.\ (\Phi_0 \supset \exists \bar{y}.\ \Psi_1)$, where $\Phi_0, \Psi_1$ are as in formulas 2–3.

However, unlike Lemma 1, this lemma was not derived within PVS. Rather, it is true if CPSA's analysis is correct. We import it into PVS as an axiom.

Lemma 2 is, however, something capable of direct proof within PVS as a theorem of $T_{\mathit{bnd}}(\Pi)$. Indeed, there is precedent for constructing proofs of this sort. Meier et al. [19] show how to instrument a different protocol analysis tool, called Scyther [ ], so that each step it takes generates a lemma in the Isabelle proof system. Then, they use reusable results proved once within Isabelle to discharge these lemmas. Curiously, one of the main lemmas, the authentication test theorem in an earlier form, has already been established within PVS [ ]. Thus, it appears possible, although a substantial undertaking, to transform CPSA from a central piece of our analysis infrastructure to a heuristic to guide derivations within PVS.

5 Reasoning About Messages and State

This section presents some details of the theory $T_{\mathit{annot}}(\Pi, \leadsto)$. We then show how the previous lemmas combine, allowing us to conclude that the security goal of the Envelope Protocol is achieved.

In $T_{\mathit{annot}}(\Pi, \leadsto)$, the state transitions associated with a protocol are specified by annotating some events in a role of $\Pi$ with a subset of the transition relation $\leadsto$. The reason for annotating events with a subset of the transition relation, rather than an element, will be explained at the end of this section. We use $\bot$ for an event that is not annotated, and $\uparrow\! a$ for an event that is annotated with $a$. The events that are annotated are the transmissions associated with receive-transmit pairs of state-bearing messages.

$$\begin{array}{ccccc}
\cdots \Rightarrow & -\{|\, g_0, \mathrm{pcr}(m_0) \,|\}_{\#k} & \Rightarrow & +\{|\, g_0, \mathrm{pcr}(m_1) \,|\}_{\#k} & \Rightarrow \cdots \\
 & \bot & & \uparrow\! \leadsto & 
\end{array}$$

A node in a bundle inherits its annotation from its role. The set of nodes in $\Gamma$ that are annotated is $\mathrm{anode}(\Gamma)$, and $\mathrm{anno}(\Gamma, n, a)$ asserts that node $n$ in $\Gamma$ is annotated with some $a \subseteq \leadsto$. In the Envelope Protocol, a node annotated by a TPM extend role cannot be an instance of any other role.

Our goal is to reason only with bundles that respect state semantics. A bundle $\Gamma$ with a transition-annotating role assignment is compatible [11, Def. 11] with transition relation $\leadsto$ if there exist $\ell \in \mathbb{N}$, $f \in \mathrm{anode}(\Gamma) \to \{0, 1, \ldots, \ell - 1\}$, and $\pi \in \mathrm{path}$ such that

1. $f$ is bijective;

2. $\forall n_0, n_1 \in \mathrm{anode}(\Gamma).\ n_0 \prec n_1 \supset f(n_0) < f(n_1)$;

3. $\forall n \in \mathrm{anode}(\Gamma),\ a \subseteq \leadsto.\ \mathrm{anno}(\Gamma, n, a) \supset (\pi(f(n)), \pi(f(n) + 1)) \in a$.

A bundle that satisfies $T_{\mathit{annot}}(\Pi, \leadsto)$ is a compatible bundle.

Because the function $f$ is bijective, all annotated nodes in a compatible bundle are totally ordered. Looking back at Fig. 6, either the nodes in the leftmost strand precede the nodes in the rightmost strand or succeed them.

The compatible bundle assumption allows one to infer the existence of nodes that are not revealed by CPSA. In the case of the Envelope Protocol this is done by importing the Prefix Boot Extend Lemma (Lemma 1) from $T_{\mathit{state}}(\leadsto)$ into the strand space world by proving the following lemma (stated here in plain English) within $T_{\mathit{annot}}(\Pi, \leadsto)$ using PVS. Its proof uses the full content of compatibility.

Lemma 3 (Bridge, informally). Let $\Gamma$ be a compatible bundle, containing two annotated nodes, $n_0 \prec n_1$, where $n_1$'s state has a value $t$. Then either $n_0$'s state is a subterm of $n_1$'s state, or else there is an extend node between them that incorporates $t$.

This Bridge Lemma implies there is another extend strand between the two strands that represent the state split. This theorem is also proved with PVS in $T_{\mathit{annot}}(\Pi, \leadsto)$; however, syntactically it is a sentence of the language of $T_{\mathit{bnd}}(\Pi)$. That is, $T_{\mathit{annot}}(\Pi, \leadsto)$ adds information to $T_{\mathit{bnd}}(\Pi)$, because $T_{\mathit{annot}}(\Pi, \leadsto)$'s models are only the compatible bundles. The theorem is the following.

Theorem 4 (Inferred Extend Strand).

$$\begin{array}{l}
\forall z_0, z_1 : Z,\ t, t_0, t_1 : T,\ m_0, m_1 : M,\ esk_0, esk_1, k_0, k_1 : A. \\
\quad \mathrm{htin}(z_0, 2, \mathrm{extend}(esk_0, k_0, \mathrm{pcr}(m_0), t_0)) \\
\quad \wedge\ \mathrm{htin}(z_1, 2, \mathrm{extend}(esk_1, k_1, \mathrm{pcr}(m_1), t_1)) \\
\quad \wedge\ (z_0, 1) \prec (z_1, 0) \wedge m_1 \text{ has } t \\
\quad \supset\ \mathrm{subterm}(\mathrm{ex}(t_0, m_0), m_1) \\
\qquad \vee\ \exists z : Z,\ m : M,\ esk, k : A.\ \mathrm{htin}(z, 2, \mathrm{extend}(esk, k, \mathrm{pcr}(m), t)) \\
\qquad\quad \wedge\ (z_0, 1) \prec (z, 0) \wedge (z, 1) \prec (z_1, 0)
\end{array}$$

Theorem 4 implies that Fig. 6 has an additional extend strand, as shown in Fig. 8. Restarting CPSA with $\mathsf{A}_0$ enriched with all of this additional information, we learn that no such execution is possible. This justifies Security Goal 1.

Figure 8: Inferred Extend Strand

Our Method. We have now completed an illustration of the hybrid method for analyzing a protocol with state. We took the following key steps.

1. We defined states and a transition relation representing a TPM fragment. We proved a key lemma (Lemma 1) in the resulting theory $T_{\mathit{state}}(\leadsto)$.

2. We defined the envelope protocol as a PVS theory $T_{\mathit{bnd}}(\Pi)$. We encoded the states as certain encrypted messages, and used state-passing to represent the actions of the TPM in protocol roles. The encoding function is an injective function $g$. We connect $\cdots \Rightarrow -t_0 \Rightarrow +t_1 \Rightarrow \cdots$, as a state-passing representation, with $T_{\mathit{state}}(\leadsto)$ by annotating the role with the annotation:

$$\{(m_0, m_1) \mid t_0 = g(m_0) \wedge t_1 = g(m_1)\} \cap \leadsto$$

We prove bridge lemmas along the lines of Lemma 3.

3. Independently, we define $\Pi$ in the CPSA input language, and query CPSA with a starting point $\mathsf{A}_0$ as in our security goal. We translate the results in the form of state analysis sentences such as Lemma 2, which we use within PVS as axioms.

4. From a state analysis sentence and bridge lemmas, we deduce conclusions about all compatible bundles of $\Pi$; Thm. 4 was an example. These theorems may already establish our security goals.

5. Alternatively, the conclusions about compatible bundles may give us an enriched starting point, which we can bring back into CPSA, as we did here to determine that Security Goal 1 is achieved, and $\mathsf{A}_0$ cannot appear in any compatible bundle.

We have also applied this method to several simple protocols besides the Envelope Protocol. The steps in applying the method are always the same. While the application of these ideas is routine, it is quite time consuming. A goal of future research is to automate much more of the method.

But why annotate events with subsets of the transition relation rather than elements of it? The extend role does not guarantee it receives a state-bearing message of the form $\{|\, g_0, \mathrm{pcr}(m_0) \,|\}_{\#k}$. It says only that the incoming message has the form $\{|\, g_0, t_0 \,|\}_{\#k}$. We must eliminate strands in which $t_0$ is not in the range of the $\mathrm{pcr}$ function. That is why we use the annotation shown in Step 2.

A bundle in which a received state encoding message is not in the range of the $\mathrm{pcr}$ function will have a node annotated with the empty set. This bundle does not respect state semantics and is eliminated from consideration by the definition of compatibility.
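As an added illustration, not part of the paper's PVS development, the following Python models the compatibility definition of this section over a toy TPM transition relation (boot and extend on a PCR history) and runs it on the state split of Fig. 6 and on a bridged bundle of the shape Lemma 3 and Theorem 4 infer; it also shows how the empty annotation of Step 2 rules a bundle out. The node names, the tuple encoding of states and the choice of $g$ as the identity are assumptions of the example.

```python
# Added toy model of the compatibility definition of Sec. 5, not the paper's
# PVS theory; all names and values are constructed.  A TPM state is the tuple
# of values extended into a PCR: () is boot, ('p','n') is pcr(ex(n, ex(p, boot))).

def transition(m0, m1):
    """The toy relation m0 ~> m1: a boot resets, an extend appends one value."""
    return m1 == () or (len(m1) == len(m0) + 1 and m1[:-1] == m0)

def extend_annotation(incoming, value):
    """Step 2 annotation {(m0, m1) | t0 = g(m0) and t1 = g(m1)} intersected with
    ~>, taking g to be the identity on tuples.  A received message outside the
    range of pcr gives the empty set, so no bundle containing it is compatible."""
    if not isinstance(incoming, tuple):
        return set()
    return {(incoming, incoming + (value,))}

def boot_annotation(incoming):
    return {(incoming, ())}

def compatible(nodes, precedes):
    """nodes: {node: annotation}; precedes: pairs (n0, n1) with n0 before n1.
    Returns (f, pi) with f a bijection onto 0..l-1 respecting the order and pi a
    path with (pi(f(n)), pi(f(n)+1)) in n's annotation, or None if none exist."""
    def search(placed, state):
        if len(placed) == len(nodes):
            return []
        for n, ann in nodes.items():
            # condition 2: all predecessors of n must already be placed
            if n in placed or any(p not in placed for p, q in precedes if q == n):
                continue
            for m0, m1 in ann:
                # condition 3: the pair chosen for n must continue the path
                if (state is None or m0 == state) and transition(m0, m1):
                    rest = search(placed | {n}, m1)
                    if rest is not None:
                        return [(n, m0, m1)] + rest
        return None
    steps = search(frozenset(), None)
    if steps is None:
        return None
    f = {n: i for i, (n, _, _) in enumerate(steps)}
    pi = [m0 for _, m0, _ in steps] + ([steps[-1][2]] if steps else [])
    return f, pi

# The state split of Fig. 6: two extend strands both consume the state
# ('p', 'n') and are unordered.  No total order keeps the path consistent.
M = ('p', 'n')
SPLIT = {'A': extend_annotation(M, 'g1'), 'B': extend_annotation(M, 'g2')}

# A compatible completion: between A and B the TPM boots and extends p and n
# again, so an extend node incorporating n lies between them (Lemma 3, Thm. 4).
BRIDGED = dict(SPLIT, C=boot_annotation(M + ('g1',)),
               D=extend_annotation((), 'p'), E=extend_annotation(('p',), 'n'))
BRIDGED_ORDER = {('A', 'C'), ('C', 'D'), ('D', 'E'), ('E', 'B')}
```

`compatible(SPLIT, set())` returns None, while `compatible(BRIDGED, BRIDGED_ORDER)` returns the total order A, C, D, E, B together with the path of states it threads.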

6 Related Work and Conclusion

Related Work. The problem of reasoning about protocols and state has been an increasing focus over the past several years. Protocols using Trusted Platform Modules (TPMs) and other hardware security modules (HSMs) have provided one of the main motivations for this line of work.

A line of work was motivated by HSMs used in the banking industry [16, 26]. This work identified the effects of persistent storage as complicating the security analysis of the devices. Much work explored the significance of this problem in the case of PKCS #11 style devices for key management [5, 6, 12]. These papers, while very informative, exploited specific characteristics of the HSM problem; in particular, the most important mutable state concerns the attributes that determine the usage permitted for keys. These attributes should usually be handled in a monotonic way, so that once an attribute has been set, it will not be removed. This justifies using abstractions that are more typical of standard protocol analysis.

In the TPM-oriented line of work, an early example using an automata-based model was by Gürgens et al. [13]. It identified some protocol failures due to the weak binding between a TPM-resident key and an individual person. Datta et al.'s "A Logic of Secure Systems" [9] presents a dynamic logic in the style of PCL [8] that can be used to reason about programs that both manipulate memory and also transmit and receive cryptographically constructed messages. Because it has a very detailed model of execution, it appears to require a level of effort similar to (multithreaded) program verification, unlike the less demanding forms of protocol analysis.

Mödersheim's set-membership abstraction [20] works by identifying all data values (e.g. keys) that have the same properties; a change in properties for a given key $K$ is represented by translating all facts true for $K$'s old abstraction into new facts true of $K$'s new abstraction. The reasoning is still based on monotonic methods (namely Horn clauses). Thus, it seems not to be a strategy for reasoning about TPM usage, for instance in the envelope protocol.

The paper [14] by one of us developed a theory for protocols (within strand spaces) as constrained by state transitions, and applied that theory to a fair exchange protocol. It introduced the key notion of compatibility between a protocol execution ("bundle") and a state history. In the current paper we will also rely on the same notion of compatibility, which was somewhat hidden in [ ]. However, the current paper does not separate the protocol behavior from state history as sharply as did [ ].

A group of papers by Ryan with Delaune, Kremer, and Steel [10, 11], and with Arapinis and Ritter [3] aim broadly to adapt ProVerif for protocols that interact with long-term state. ProVerif [ , ] is a Horn-clause based protocol analyzer with a monotonic method: in its normal mode of usage, it tracks the messages that the adversary can obtain, and assumes that these will always remain available. Ryan et al. address the inherent non-monotonicity of the adversary's capabilities by using a two-place predicate $\mathrm{att}(u, m)$ meaning that the adversary may possess $m$ at some time when the long-term state is $u$. In [3], the authors provide a compiler from a process algebra with state-manipulating operators to sets of Horn clauses using this primitive. In [11], the authors analyze protocols with specific syntactic properties that help ensure termination of the analysis. In particular, they bound the state values that may be stored in the TPMs. In this way, the authors verify two protocols using the TPM, including the envelope protocol.

One advantage of the current approach relative to the ProVerif approach is that it works within a single comprehensive framework, namely that of strand spaces. Proofs about state within PVS succeeded only when definitions and lemmas were properly refined, and all essential details represented. As a result, our confidence is high that our proofs about protocols have their intended meaning.


Conclusion. The proof of the Envelope Protocol security goal presented here shows a detailed example of our method for applying CPSA to systems that include a state component. CPSA was coupled with about 2400 lines of PVS specifications to produce a proof of a difficult security goal. The method is sound due to the use of the common foundation of strand space theory for all reasoning.

The approach could be improved in two main ways. First, the proofs within PVS are strenuous. We would like to develop a method in which—apart perhaps from a few key reusable lemmas in the state theory $T_{\mathit{state}}(\leadsto)$—the remainder of the reasoning concerning both state and protocol behavior occurs automatically in CPSA's automated, enrich-by-need manner. Second, there is some artificiality in the state-threading representation that we have used here. It requires the protocol description to make explicit the details of the full state, and to express each state change in a syntactic, template-based form. Moreover, the state information is also redundantly encoded in the annotations that appear in $T_{\mathit{annot}}(\Pi, \leadsto)$. Our earlier work [ ] instead encapsulated all of the state information in a labeled transition relation. The protocol definitions contain only a type of "neutral node", which is neither a transmission nor a reception. These nodes are associated with the same labels as appear in labeled transitions. This allows us to define "compatibility," and to work with protocol and state definitions as independent modules. We intend also to explore this style of definition.